Endpoint detection and response (EDR) and antivirus products are a standing target for bypass and evasion techniques. The best-known approach is BYOVD (Bring Your Own Vulnerable Driver), in which the attacker loads a signed but vulnerable kernel driver onto the target and abuses it to kill or blind the security product. A newly published technique reaches a similar result without loading any driver at all.
Dubbed EDR-Freeze, the technique abuses Windows Error Reporting (specifically its WerFaultSecure.exe component) together with the MiniDumpWriteDump function to leave antivirus and EDR processes in a suspended state. Everything runs in user mode using binaries that ship with Windows, so no vulnerable driver or other kernel component has to be brought onto the machine. The technique was disclosed by the researcher known as Two One Seven Three on the Zero Salarium blog.
Using Windows Functions to Bypass EDR
The MiniDumpWriteDump function, part of the Windows DbgHelp library, writes a minidump of a process for debugging purposes. The property that matters here is that, while the dump is being written, the function suspends every thread in the target process. As the researcher noted, “This is necessary because threads could otherwise be modifying memory while the dump is being written, leading to corruption or inconsistencies.” Microsoft's documentation advises calling the function from a separate process rather than from inside the process being dumped, because the suspended target cannot service the call and a deadlock can result.
Two One Seven Three ran into two obstacles. First, MiniDumpWriteDump completes quickly, so the window in which the target is suspended is short and hard to extend. Second, EDR and antivirus processes are normally protected by Protected Process Light (PPL), and a non-protected process cannot open them with the access a dump requires. To get past both, the researcher reverse-engineered WerFaultSecure.exe, the WER component that itself runs as a protected process, and worked out how to make it call MiniDumpWriteDump on a process of the attacker's choosing. Combined with the researcher's own CreateProcessAsPPL tool, which launches a new process at a PPL level, this gives a way to have WerFaultSecure dump a PPL-protected target on the attacker's behalf, which is what the PPL barrier was meant to prevent.
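To make the two obstacles concrete, here is an added PowerShell example (not code from the article or from the researcher's tools) that calls MiniDumpWriteDump from a separate process through P/Invoke, as Microsoft recommends. The `DumpNative` class and the `Write-MiniDump` function are names chosen for this example. Run it elevated: against a process you own the dump succeeds, and for the duration of the call the target's threads are suspended; against an antimalware PPL process such as MsMpEng.exe, OpenProcess itself fails with ERROR_ACCESS_DENIED (5), which is the barrier that WerFaultSecure's protected level is used to get past.

```powershell
# Added example, not from the original article: MiniDumpWriteDump called from an external process.
# DumpNative and Write-MiniDump are names chosen here; the Win32 signatures are the documented ones.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class DumpNative {
    public const uint PROCESS_QUERY_INFORMATION = 0x0400;
    public const uint PROCESS_VM_READ           = 0x0010;
    public const uint MiniDumpWithFullMemory    = 0x00000002;

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inheritHandle, uint processId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);

    [DllImport("dbghelp.dll", SetLastError = true)]
    public static extern bool MiniDumpWriteDump(IntPtr hProcess, uint processId, IntPtr hFile,
        uint dumpType, IntPtr exceptionParam, IntPtr userStreamParam, IntPtr callbackParam);
}
"@

function Write-MiniDump {
    param([Parameter(Mandatory)][int]$ProcessId,
          [Parameter(Mandatory)][string]$Path)

    # A dump needs query and VM-read access; a normal process is refused these on a PPL target.
    $access = [DumpNative]::PROCESS_QUERY_INFORMATION -bor [DumpNative]::PROCESS_VM_READ
    $hProc = [DumpNative]::OpenProcess($access, $false, [uint32]$ProcessId)
    if ($hProc -eq [IntPtr]::Zero) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        # Error 5 (ERROR_ACCESS_DENIED) is the expected outcome for an antimalware PPL process.
        return "OpenProcess failed for PID $ProcessId (Win32 error $err)"
    }

    $file = [System.IO.File]::Create($Path)
    try {
        # While this call runs, every thread of the target is suspended by MiniDumpWriteDump.
        $ok = [DumpNative]::MiniDumpWriteDump($hProc, [uint32]$ProcessId,
                                               $file.SafeFileHandle.DangerousGetHandle(),
                                               [DumpNative]::MiniDumpWithFullMemory,
                                               [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)
        if ($ok) { return "Dump of PID $ProcessId written to $Path" }
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        return "MiniDumpWriteDump failed for PID $ProcessId (Win32 error $err)"
    }
    finally {
        $file.Dispose()
        [void][DumpNative]::CloseHandle($hProc)
    }
}

# 1. A process you own (no PPL): the dump is written and the target is briefly frozen.
$victim = Start-Process notepad -PassThru
Write-MiniDump -ProcessId $victim.Id -Path "$env:TEMP\notepad.dmp"
$victim | Stop-Process

# 2. The Defender engine (antimalware PPL): OpenProcess is refused even when elevated.
$engine = Get-Process MsMpEng -ErrorAction SilentlyContinue
if ($engine) { Write-MiniDump -ProcessId $engine.Id -Path "$env:TEMP\msmpeng.dmp" }
```

The second call is the situation the technique is built around: the dump itself is not the problem, obtaining a usable handle to the protected target is, and WerFaultSecure, running at a protected level, is a Windows-signed process that already holds the right to do so.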
“If a normal process can run a new process with PPL protection, then during the CreateProcess, we can force the child PPL process to suspend by using the CREATE_SUSPENDED flag,” the researcher explained. The PROCESS_SUSPEND_RESUME access right, requested when a process handle is opened, is what allows a process to be suspended and resumed. Process Explorer, which relies on it, can suspend processes protected by PPL but not those running at the antimalware level. The researcher emphasized, however, that this limitation can be worked around.
“With all the information above, if we can make WerFaultSecure perform the dump process and then call MiniDumpWriteDump with Antivirus processes, and then we suspend WerFaultSecure right at the moment it puts the target process into a suspended state, the target program will be suspended indefinitely because the process that could resume it, WerFaultSecure, has also been suspended,” the researcher stated.
EDR Bypass Through a Race Condition Attack
The researcher outlined a race condition attack comprising four distinct steps:
- Utilize CreateProcessAsPPL to execute WerFaultSecure with WinTCB-level protection;
- Configure the parameters for WerFaultSecure to facilitate the dump of the target process;
- Monitor the status of the target process until it reaches a suspended state;
- Open the WerFaultSecure process with OpenProcess requesting the PROCESS_SUSPEND_RESUME access right and suspend it with NtSuspendProcess.
A tool that carries out these steps has been published on GitHub, and another researcher quickly followed with a KQL rule to detect it. The Zero Salarium researcher pointed out a significant weakness of the BYOVD approach: it requires bringing along drivers with known vulnerabilities, which are conspicuous on monitored machines and can cause severe disruption to them.
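The four steps above leave a recognisable end state on the host: a WerFaultSecure.exe instance and a security-product process that are both fully suspended. As an added example (not the article's, the researcher's or the KQL author's code), the following PowerShell check looks for exactly that. `Test-ProcessSuspended` and `Find-EdrFreeze` are names chosen for this example, and the watch list of product image names is an assumption to adapt to your own estate. Thread states come from the system-wide process snapshot that .NET's `Process.Threads` reads, so no handle to the (PPL) target is required.

```powershell
# Added example, not from the original article: hunt for the EDR-Freeze end state on a live host.
# A process counts as frozen when every thread reports ThreadState 'Wait' with WaitReason
# 'Suspended', which is what NtSuspendProcess leaves behind.

function Test-ProcessSuspended {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)
    $threads = @($Process.Threads)
    if ($threads.Count -eq 0) { return $false }
    foreach ($t in $threads) {
        # WaitReason throws unless the thread is in the Wait state, so test ThreadState first.
        if ($t.ThreadState -ne 'Wait' -or $t.WaitReason -ne 'Suspended') { return $false }
    }
    return $true
}

function Find-EdrFreeze {
    # Assumed watch list of security-product image names; extend it for the products you run.
    param([string[]]$WatchList = @('MsMpEng', 'MsSense', 'SenseIR', 'CSFalconService', 'SentinelAgent'))

    $findings  = @()
    $frozenWer = @(Get-Process -Name WerFaultSecure -ErrorAction SilentlyContinue |
                   Where-Object { Test-ProcessSuspended $_ })
    $frozenSec = @(Get-Process -Name $WatchList -ErrorAction SilentlyContinue |
                   Where-Object { Test-ProcessSuspended $_ })

    foreach ($p in $frozenWer) {
        $findings += "WerFaultSecure.exe PID $($p.Id): all $(@($p.Threads).Count) threads suspended"
    }
    foreach ($p in $frozenSec) {
        $findings += "$($p.ProcessName) PID $($p.Id): all $(@($p.Threads).Count) threads suspended"
    }
    # Either condition alone has benign explanations; both at once matches the technique.
    if ($frozenWer.Count -gt 0 -and $frozenSec.Count -gt 0) {
        $findings += 'ALERT: suspended WerFaultSecure.exe alongside a suspended security process; consistent with EDR-Freeze'
    }
    return $findings
}

Find-EdrFreeze
```

A single snapshot can catch a legitimate crash dump in flight, during which the dumped process is briefly suspended by MiniDumpWriteDump in the normal way; a frozen state that persists across a re-check a few seconds later is the signal to act on. A suspended WerFaultSecure.exe by itself is already unusual, because in normal operation it finishes writing its dump and exits.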
“With EDR-Freeze, exploiting the software vulnerability of the WerFaultSecure program available on Windows will address the weakness of the BYOVD technique. Additionally, we can flexibly control the programs of EDRs and Antimalware, deciding when they should run and when they should be suspended at will, ensuring that everything operates more smoothly,” the researcher concluded.